Review of Policy

Company Directors (or equivalent) are responsible for reviewing the Information Security Policy annually or after a serious issue.

User Access and Controls

Any system that handles valuable information must be protected with a password-based access control system.

Every user must have a separate, private identity for accessing IT network services.

Identities should be centrally created and managed. Single sign-on for accessing multiple services is encouraged.

Discretionary access control lists must be in place to control access to resources for different groups of users.

Mandatory access controls should be in place to regulate access by processes operating on behalf of users.

Access to resources should be granted on a per-group basis rather than on a per-user basis.

Access shall be granted under the principle of “least privilege”, i.e., each identity should receive the minimum rights and access to resources needed to perform its business functions.

Whenever possible, access should be granted to centrally defined and centrally managed identities.

Users should refrain from attempting to tamper with or evade access controls to gain greater access than they are assigned.

Automatic controls, scanning technologies and periodic review procedures must be in place to detect any attempt to circumvent controls.

Using administrative credentials for non-administrative work is not allowed.

IT administrators must have two sets of credentials: one for administrative work and the other for everyday work.

Test accounts are allowed but cannot be used for administrative or everyday work, and they should be deleted as soon as they are no longer required.

Password

Passwords must meet the following complexity requirements:

Each identity must have a strong, private, alphanumeric password to be able to access any service. Passwords must be at least 8 characters long.

Administrative passwords must be at least 12 characters long.

Passwords for some special identities will not expire. In those cases, the password must be at least 12 characters long.

Whenever a password is deemed compromised, it must be changed immediately.

Sharing of passwords is forbidden. They should not be revealed or exposed to public sight.

Identities must be locked if password guessing is suspected on the account.

General classification of data

All data within Fine Cut is regarded as business confidential unless otherwise stated.

Business confidential data:

Should not be shared with people outside of the organisation without prior approval by Company Directors.

Should only be shared within the business on a least privilege model.

Should only be stored on Fine Cut controlled systems.

Should be secured by an individual user ID and password.

Basic Data Protection Requirements

All Fine Cut controlled systems containing personal information as defined in the Data Classification document must be protected in alignment with corporate standards and best practice.

Specifically, where a system is in the:

Production and DR datacentre.

Fine Cut office corporate network.

A system must:

Operate up-to-date anti-malware.

Be appropriately patched.

Where a system (including laptops and mobile phones) is operated outside of these environments, the device must also operate:

Encryption.

Data transfer

Data transfers containing personal, business confidential or special category data must follow whichever of the following rules applies:

When transferred outside of the organisation over a network, the transfer must use a secure mechanism such as TLS, or the data itself must be encrypted.

When transferred outside of the organisation on a portable device such as a flash drive or laptop, the data must be encrypted.

Information awareness training

Information security training must be given to all staff during their induction.

Ongoing training must be given at regular intervals to ensure that all staff are aware of current policies.

Physical Security of IT Systems

IT Systems that store data or provide access to data must be in a server room:

That is locked and controlled separately by key card.

That has environmental monitoring and alerting.

Where access to the server room is logged and a reason recorded.

Where access is by authorised personnel only.

That is in an area not open to the general public.

Within a building that has CCTV.

That has a UPS.

That has a generator.

That has air conditioning.

IT Systems in remote offices may only be used for authentication, network routing, or storing non-personal data (the only personal data permitted is that required for authentication purposes). These IT Systems must be in a server room:

That is locked.

That has environmental monitoring and alerting.

Where access is by authorised personnel only.

That is in an area not open to the general public.

Terminated Users

A terminated user includes all users that are no longer employed or contracted by Fine Cut. On a user’s last day, the following must be executed or configured:

The terminated user’s account(s) must have their passwords changed.

All access to IT Systems will be revoked.

All Fine Cut IT supplied equipment must be returned.

If, for any reason, the user is keeping Fine Cut supplied IT equipment, it must be reset to factory settings, all data must be securely erased, and the equipment must be logged as now owned by the terminated user.

Any further access to Fine Cut buildings will be as a visitor, and the terminated user must be escorted.